mjallen/nix-config
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

update secrets, cleanup

Browse Source
This commit is contained in:
mjallen18
2025-01-22 17:52:48 -06:00
parent fe0916e255
commit a6ec7beff9
8 changed files with 51 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
hosts/nas/apps/arrs/default.nix
View File

@@ -1,7 +1,6 @@
{ {
config, config,
pkgs, pkgs,
lib,
... ...
}: }:
@@ -9,6 +8,7 @@ let
radarrPort = 7878; radarrPort = 7878;
sonarrPort = 8989; sonarrPort = 8989;
sabnzbdPort = 8280; sabnzbdPort = 8280;
delugePort = 8112;
jackettPort = 9117; jackettPort = 9117;
radarrDataDir = "/var/lib/radarr"; radarrDataDir = "/var/lib/radarr";
downloadDir = "/downloads"; downloadDir = "/downloads";
@@ -19,8 +19,11 @@ let
mediaDir = "/media"; mediaDir = "/media";
arrUserId = config.users.users.nix-apps.uid; arrUserId = config.users.users.nix-apps.uid;
arrGroupId = config.users.groups.jallen-nas.gid; arrGroupId = config.users.groups.jallen-nas.gid;
sonarrPkg = pkgs.stable.sonarr; radarrPkg = pkgs.unstable.radarr;
sonarrPkg = pkgs.unstable.sonarr;
delugePkg = pkgs.unstable.deluge;
jackettPkg = pkgs.unstable.jackett; jackettPkg = pkgs.unstable.jackett;
sabnzbdPkg = pkgs.unstable.sabnzbd;
in in
{ {
nixpkgs.config.permittedInsecurePackages = [ nixpkgs.config.permittedInsecurePackages = [
@@ -38,7 +41,6 @@ in
config = config =
{ {
config,
pkgs, pkgs,
lib, lib,
... ...
@@ -59,6 +61,7 @@ in
user = "arrs"; user = "arrs";
group = "media"; group = "media";
dataDir = radarrDataDir; dataDir = radarrDataDir;
package = radarrPkg;
}; };
# Enable Sonarr service # Enable Sonarr service
@@ -68,7 +71,7 @@ in
user = "arrs"; user = "arrs";
group = "media"; group = "media";
dataDir = sonarrDataDir; dataDir = sonarrDataDir;
# package = sonarrPkg; package = sonarrPkg;
}; };
# Enable Sabnzbd service # Enable Sabnzbd service
@@ -78,6 +81,7 @@ in
user = "arrs"; user = "arrs";
group = "media"; group = "media";
configFile = "${sabnzbdConfig}/sabnzbd.ini"; configFile = "${sabnzbdConfig}/sabnzbd.ini";
package = sabnzbdPkg;
}; };
services.deluge = { services.deluge = {
@@ -86,6 +90,7 @@ in
group = "media"; group = "media";
openFirewall = true; openFirewall = true;
dataDir = "/media"; dataDir = "/media";
package = delugePkg;
web = { web = {
enable = true; enable = true;
port = 8112; port = 8112;
@@ -225,11 +230,11 @@ in
} }
{ {
destination = "10.0.1.51:8112"; destination = "10.0.1.51:8112";
sourcePort = 8112; sourcePort = delugePort;
} }
{ {
destination = "10.0.1.51:9117"; destination = "10.0.1.51:9117";
sourcePort = 9117; sourcePort = jackettPort;
} }
]; ];
}; };

9
hosts/nas/apps/jellyseerr/default.nix
View File

@@ -1,9 +1,4 @@
{ { ... }:
config,
pkgs,
lib,
...
}:
let let
jellyseerrPort = 5055; jellyseerrPort = 5055;
@@ -27,8 +22,6 @@ in
config = config =
{ {
config,
pkgs,
lib, lib,
... ...
}: }:

5
hosts/nas/apps/ollama/default.nix
View File

@@ -1,4 +1,4 @@
{ pkgs, ... }: { config, ... }:
{ {
services.ollama = { services.ollama = {
enable = true; enable = true;
@@ -16,9 +16,8 @@
port = 8888; port = 8888;
openFirewall = true; openFirewall = true;
# stateDir = "/media/nas/ssd/nix-app-data/open-webui"; # stateDir = "/media/nas/ssd/nix-app-data/open-webui";
environmentFile = config.sops.secrets."jallen-nas/open-webui".path;
environment = { environment = {
OAUTH_CLIENT_ID = "P4YrtPrdwoQkwYs4e5AHQx7xiz4FV6OpT24rjqXa";
OAUTH_CLIENT_SECRET = "XpZ1Y9RUMD6FVxBSxg8evHkRYuSUJ3saN99uCFfeNo4Z8vrmnqZBHJQzSSCFig1fgqEYCr3SmcOvCHGHUsz9FJT2aZFlZxKv6bZZpuMQYASHiQtuX2pTVEspiNab3129";
OPENID_PROVIDER_URL = "https://authentik.mjallen.dev/application/o/chat/.well-known/openid-configuration"; OPENID_PROVIDER_URL = "https://authentik.mjallen.dev/application/o/chat/.well-known/openid-configuration";
OPENID_PROVIDER_NAME = "authentik"; OPENID_PROVIDER_NAME = "authentik";
ENABLE_OAUTH_SIGNUP = "true"; ENABLE_OAUTH_SIGNUP = "true";

15
hosts/nas/apps/paperless/default.nix
View File

@@ -1,14 +1,15 @@
{ {
config, config,
pkgs, pkgs,
lib,
... ...
}: }:
let let
paperlessPort = 28981; paperlessPort = 28981;
paperlessUserId = config.users.users.nix-apps.uid; paperlessUserId = config.users.users.nix-apps.uid;
paperlessGroupId = config.users.groups.jallen-nas.gid; paperlessGroupId = config.users.groups.jallen-nas.gid;
passwordFile = config.sops.secrets."jallen-nas/admin_password".path; paperlessSecret = config.sops.templates."paperless-secret".content;
clientId = config.sops.templates."paperless-client-id".content;
clientSecret = config.sops.templates."paperless-client-secret".content;
paperlessPkg = pkgs.stable.paperless-ngx; paperlessPkg = pkgs.stable.paperless-ngx;
in in
{ {
@@ -22,8 +23,6 @@ in
config = config =
{ {
config,
pkgs,
lib, lib,
... ...
}: }:
@@ -38,10 +37,10 @@ in
passwordFile = "/var/lib/paperless/paperless-password"; passwordFile = "/var/lib/paperless/paperless-password";
settings = { settings = {
PAPERLESS_URL = "https://paperless.jallen.dev"; PAPERLESS_URL = "https://paperless.jallen.dev";
PAPERLESS_SECRET = "Luciferthecat03092024"; PAPERLESS_SECRET = paperlessSecret;
PAPERLESS_ENABLE_ALLAUTH = true; PAPERLESS_ENABLE_ALLAUTH = true;
PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect"; PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
PAPERLESS_SOCIALACCOUNT_PROVIDERS = ''{"openid_connect":{"OAUTH_PKCE_ENABLED":true,"APPS":[{"provider_id":"authentik","name":"authentik","client_id":"OZhMnBUxwJvpjkUhs4ISgA0iAWA7etgTXaohLCED","secret":"UrwdWObeyoEI1AogXcjV8SwYsJ585Wkh5YxDH5wFPXZxp8IVV9QNsn32PIAv6h9BdjaiiMrOFayaW3uXyZYg71olG5OQ1qGaD6WYn0EijYBwxoEuvp7LIdMJ4lImhVR1","settings":{"server_url":"https://authentik.mjallen.dev/application/o/paperless/.well-known/openid-configuration"}}]}}''; PAPERLESS_SOCIALACCOUNT_PROVIDERS = ''{"openid_connect":{"OAUTH_PKCE_ENABLED":true,"APPS":[{"provider_id":"authentik","name":"authentik","client_id":"${clientId}","secret":"${clientSecret}","settings":{"server_url":"https://authentik.mjallen.dev/application/o/paperless/.well-known/openid-configuration"}}]}}'';
}; };
}; };
@@ -88,10 +87,6 @@ in
hostPath = "/media/nas/ssd/nix-app-data/paperless"; hostPath = "/media/nas/ssd/nix-app-data/paperless";
isReadOnly = false; isReadOnly = false;
}; };
# "/run/keys/paperless-password" = {
# hostPath = passwordFile;
# isReadOnly = true;
# };
}; };
}; };

8
hosts/nas/networking.nix
View File

@@ -1,17 +1,11 @@
{ config, pkgs, ... }: { ... }:
let let
hostname = "jallen-nas"; hostname = "jallen-nas";
ipAddress = "10.0.1.18";
ipAddress2 = "10.0.1.19";
gateway = "10.0.1.1";
ports = [ ports = [
9000 # authentik 9000 # authentik
2342 # grafana 2342 # grafana
51820 # wireguard 51820 # wireguard
]; ];
wireguard-private = config.sops.secrets."jallen-nas/wireguard/private".path;
wireguard-public = "r03IJPnTaSNmhVYIdQr+TGasox6NAUrgW8ycm/sac08=";
in in
{ {
# Networking configs # Networking configs

2
hosts/nas/services.nix
View File

@@ -1,4 +1,4 @@
{ config, pkgs, ... }: { pkgs, ... }:
let let
enableDisplayManager = true; enableDisplayManager = true;
in in

33
hosts/nas/sops.nix
View File

@@ -34,14 +34,14 @@
restartUnits = [ "podman-nextcloud.service" ]; restartUnits = [ "podman-nextcloud.service" ];
}; };
sops.secrets."jallen-nas/manyfold/secretkeybase" = {
restartUnits = [ "podman-manyfold.service" ];
};
sops.templates."nextcloud-smtp".content = '' sops.templates."nextcloud-smtp".content = ''
${config.sops.secrets."jallen-nas/nextcloud/smtppassword".path} ${config.sops.secrets."jallen-nas/nextcloud/smtppassword".path}
''; '';
sops.secrets."jallen-nas/manyfold/secretkeybase" = {
restartUnits = [ "podman-manyfold.service" ];
};
sops.secrets."jallen-nas/immich/db-password" = { sops.secrets."jallen-nas/immich/db-password" = {
restartUnits = [ "podman-immich-postgres.service" ]; restartUnits = [ "podman-immich-postgres.service" ];
}; };
@@ -61,16 +61,27 @@
restartUnits = [ "podman-immich-server.service" ]; restartUnits = [ "podman-immich-server.service" ];
}; };
sops.secrets."jallen-nas/wireguard/private" = { sops.secrets."jallen-nas/open-webui" = {
# restartUnits = [ "podman-immich-server.service" ]; restartUnits = [ "open-webui.service" ];
}; };
sops.secrets."jallen-nas/wireguard/public" = { sops.secrets."jallen-nas/paperless/secret" = {
# restartUnits = [ "podman-immich-server.service" ]; restartUnits = [ "container@paperless.service" ];
}; };
sops.templates."paperless-secret".content = ''
sops.templates."wireguard-public".content = '' ${config.sops.secrets."jallen-nas/paperless/secret".path}
"${config.sops.placeholder."jallen-nas/wireguard/public"}" '';
sops.secrets."jallen-nas/paperless/authentik-client-id" = {
restartUnits = [ "container@paperless.service" ];
};
sops.templates."paperless-client-id".content = ''
${config.sops.secrets."jallen-nas/paperless/authentik-client-id".path}
'';
sops.secrets."jallen-nas/paperless/authentik-client-secret" = {
restartUnits = [ "container@paperless.service" ];
};
sops.templates."paperless-client-secret".content = ''
${config.sops.secrets."jallen-nas/paperless/authentik-client-secret".path}
''; '';
# Permission modes are in octal representation (same as chmod), # Permission modes are in octal representation (same as chmod),

11
secrets/secrets.yaml
View File

@@ -21,6 +21,11 @@ jallen-nas:
server-db-password: ENC[AES256_GCM,data:NtNMYemg+Se0CKT7yF7Yqso+33gCZn4=,iv:9lp0GoQY+I+2u/O/PFEu97H++HXDWgL1bxlOYqWfzyY=,tag:kILw1T9Ne7nSoIET4SSrOA==,type:str] server-db-password: ENC[AES256_GCM,data:NtNMYemg+Se0CKT7yF7Yqso+33gCZn4=,iv:9lp0GoQY+I+2u/O/PFEu97H++HXDWgL1bxlOYqWfzyY=,tag:kILw1T9Ne7nSoIET4SSrOA==,type:str]
server-db-name: ENC[AES256_GCM,data:bMXo9Jds5l0p9eYEPmquHQ8wwxbM+c0=,iv:fkb0P9uD9oMTOl5OuK7QDOxgJVfquKLaMfoPhRTwsAk=,tag:2Kat49n3odcVhn34c7+rig==,type:str] server-db-name: ENC[AES256_GCM,data:bMXo9Jds5l0p9eYEPmquHQ8wwxbM+c0=,iv:fkb0P9uD9oMTOl5OuK7QDOxgJVfquKLaMfoPhRTwsAk=,tag:2Kat49n3odcVhn34c7+rig==,type:str]
server-db-user: ENC[AES256_GCM,data:od8C91VJVK/cWCl824gCRqnOAC7mGA==,iv:mHJnrpKoD3c0z/XuUwFMHm8pDrOHoVzIloOS2U4IHzg=,tag:xE44Svdg/RWTe1i9Q43QQQ==,type:str] server-db-user: ENC[AES256_GCM,data:od8C91VJVK/cWCl824gCRqnOAC7mGA==,iv:mHJnrpKoD3c0z/XuUwFMHm8pDrOHoVzIloOS2U4IHzg=,tag:xE44Svdg/RWTe1i9Q43QQQ==,type:str]
open-webui: ENC[AES256_GCM,data:ZztFlXorZUFO8LywGRCYAWjmAsPwTBAEza4Wz88HoHtzp5q+qTLr500wJEtaHoC+rJze8bAajSj/rKx8n1XzbQKylDyV4opua5LErKGaiUZbFEm0jPCkpwWxmVJVde6yOMd8fboT2i4K8PMr7y2bOwqqczygDTIR77JbwdUID4nksVYjnv1RbBdJlefNxMMnK+vBPgCokrDOCWUvASVUDKg5OzSMMXQT+bvZuhIydDJv1gRz3XLG78PW0wQI9evKunfouK6eORgABe3zZQ==,iv:uJk5IrM+cDlz4dNTEAurg4vEMew5kGVCf3kqrKAUoMU=,tag:dlzFjr//fbVP5vP/67dELg==,type:str]
paperless:
secret: ENC[AES256_GCM,data:qrwi13OLSM1Oww4pttfblrjvsdPR,iv:IITw2M6YfoSP3nECeUPWlhr56n7u03ivp8+fx5MDd54=,tag:4thPUaa2ueO95LOB5SiL6w==,type:str]
authentik-client-id: ENC[AES256_GCM,data:8kHTmnT4kbxrN7Kyet1eu1KB+jA7bBx1Zs64cn5VZm0VjdSfYOwxxA==,iv:iTgsd9XWnRCQoBxj0QVjbIrSjPoYdnXv4lmn3qfllUA=,tag:CDAWMAOQ6X2sbu8RD8oiBw==,type:str]
authentik-client-secret: ENC[AES256_GCM,data:WROqpqGQrZ8+Xy6v4dxABfqWs4lPDnl/OdsD2xvw5nqZ8mD66IJMx5eoS9UJ1aIOAr0bvQCUyMtC+xzSMcEORCmMoxT7qfg2rV6KZgRzDtRGt1loYdHECXpz1hGAc87YwiD8fVrEsuTAmlK8N6tmmfie5o6QakcFeoTpZSlAUJ0=,iv:fQg5itx52OIZeqBSylSbwtR7FD/8kF0YiDZ0jguIKus=,tag:yIm8q0PJQVDt7F4IIljbdg==,type:str]
wireguard: wireguard:
private: ENC[AES256_GCM,data:/nOkn5nMrEEeKi1ySo9fAp+r1lQL02k0FZA99hUIKq7THvVWNaQ/Z6paoJU=,iv:iCTfGSdjJ0wMwv/34dv2ygKSm3qAJq6czOErMaFqHtg=,tag:EJZzBlVB5FSvveo5MWtC1g==,type:str] private: ENC[AES256_GCM,data:/nOkn5nMrEEeKi1ySo9fAp+r1lQL02k0FZA99hUIKq7THvVWNaQ/Z6paoJU=,iv:iCTfGSdjJ0wMwv/34dv2ygKSm3qAJq6czOErMaFqHtg=,tag:EJZzBlVB5FSvveo5MWtC1g==,type:str]
public: ENC[AES256_GCM,data:rOmyhwpolxNV2JroLdh90gYAuCGNZu/gY5NBxkHHNJ+qEblmDsom9alNHMQ=,iv:bF+XCO9lPHopLCEILTT4gA349d/Sa5qReSKN70EA3d4=,tag:Yx2TL/37n5Uohlwnlx97vg==,type:str] public: ENC[AES256_GCM,data:rOmyhwpolxNV2JroLdh90gYAuCGNZu/gY5NBxkHHNJ+qEblmDsom9alNHMQ=,iv:bF+XCO9lPHopLCEILTT4gA349d/Sa5qReSKN70EA3d4=,tag:Yx2TL/37n5Uohlwnlx97vg==,type:str]
@@ -60,8 +65,8 @@ sops:
UGhsN2N0Mjl3UEJvUVlGRlJiN05WaUkKW37lU4G4CLTo6JoHC2OyhKsG/FuO+BiN UGhsN2N0Mjl3UEJvUVlGRlJiN05WaUkKW37lU4G4CLTo6JoHC2OyhKsG/FuO+BiN
pzlVJwzRnmAqwklRbc6RMbQLl2EQrp6KQcgYsUxCMH9OQ/9WJ98dxQ== pzlVJwzRnmAqwklRbc6RMbQLl2EQrp6KQcgYsUxCMH9OQ/9WJ98dxQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-17T19:16:19Z" lastmodified: "2025-01-22T23:41:50Z"
mac: ENC[AES256_GCM,data:d2xWXNFCgb7egUOJSXRC4lDBbPhRoNrhM5iz0JSCW4chmQuqW0JabwDLzW0PubSqsde2pw2fx7A2mgrhib/1zyyPG8ViYijO3xyBn0EX78vJuJoikVV/KE7c3ffzxuRCB6kwCJ+6mZEYeRR+daoCfJ/ZI48DiCYuGP1rMOAjtTs=,iv:s2riiffa/qyzaJLGfLEQG52z/fdLFb4pC/Gdb/yfbWI=,tag:8JjcN78FbTJzizi/jO3irw==,type:str] mac: ENC[AES256_GCM,data:Sim5O8dLkq4k4TTTqCSvtiPxUpIJKKhhBcUsQFPkvyaHfLriDawhDANFY9c2DZHIDN0pQJuQ8h/a3AsXqq+lfXAtOGQeMkrDaEG6L9rk22QPKpXcPlRfF940r1CUYY1bmjxSd6+8fIYJPyPE7svPzseIyPFfmM9vNZmOhyXmeJ4=,iv:v0UoG3iGWzZS46LctHKF+4cEw/6Er0NKOKJiIX8OD6Y=,tag:LUk7aUdbIjdX1w6aeu5h5A==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.1 version: 3.9.3